
Apple iOS 4.3.4 Update Fixes PDF Vulnerability

Chloe Albanesius, Executive Editor, News


Apple on Friday released iOS 4.3.4, which fixes an iOS vulnerability that could have let hackers remotely control iPhones, iPads, and iPod touches.

The update "fixes [a] security vulnerability associated with viewing malicious PDF files," Apple said. It is available now for iPhone 3GS and iPhone 4s running iOS 3.0 and higher, third-generation iPods with iOS 3.1 and higher, and iPads with iOS 3.2 and higher.

The update addresses three components of iOS: a buffer overflow in FreeType's handling of TrueType fonts; a signedness issue in FreeType's handling of Type 1 fonts; and an invalid type conversion issue in the use of IOMobileFrameBuffer queueing primitives. Together, they could have allowed an attacker to take control of your device via an infected PDF.

Earlier this week, Apple acknowledged the issue and promised a fix via an upcoming software update. "Apple takes security very seriously," a spokesperson said.

The move came after the German Federal Office for Information Security (BSI) issued a warning about the possibility of attacks via PDF files. In a translated version of the report, the agency said clicking on an infected PDF via email or on the Web was enough to infect an iOS device with malicious software and give the attacker administrative privileges on the device.

The warning said there have been no reported attacks, but anyone taking advantage of the vulnerability could potentially access things like passwords, online banking data, calendars, emails, text, or contact information, BSI said. There could also be access to built-in cameras, the interception of telephone conversations, and the GPS localization of the user.

The fix comes amidst the release of JailBreakMe, software that would jailbreak an iOS device using the PDF vulnerability. The program quickly hit 1 million jailbreaks; "be sure to share a link with your friends while it's still available," Grant Paul, one of the creators, tweeted last week.

Apple's last update, 4.3.3, was released in early May and solved a controversial "bug" with Apple's location-based services.
